Skills
skills/yelban/baoyu-skills.tw/baoyu-danger-x-to-markdown/Gen Agent Trust Hub

baoyu-danger-x-to-markdown

Warn

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONCREDENTIALS_UNSAFEEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes shell commands to resolve system environments and manage browser processes.
  • scripts/paths.ts uses execSync to run cmd.exe /C "echo %USERPROFILE%" and wslpath when operating within WSL to locate the Windows home directory.
  • scripts/cookies.ts uses spawn to launch a web browser (Google Chrome or Microsoft Edge) with remote debugging enabled (--remote-debugging-port) and a custom user data directory to automate cookie extraction.
  • [CREDENTIALS_UNSAFE]: scripts/constants.ts contains a hardcoded bearer token (DEFAULT_BEARER_TOKEN). While this appears to be a public token used by the X web application, hardcoding authentication secrets is a poor security practice.
  • [DATA_EXFILTRATION]: The skill's primary authentication mechanism involves reading and writing sensitive session cookies to the local file system (cookies.json).
  • scripts/cookies.ts extracts auth_token, ct0, gt, and twid cookies from a browser instance via the Chrome DevTools Protocol (CDP).
  • scripts/cookie-file.ts manages the persistence of these credentials in the user's application data directory.
  • [EXTERNAL_DOWNLOADS]: scripts/media-localizer.ts performs network requests to download images and videos from X media servers (pbs.twimg.com, video.twimg.com) to the local machine and rewrites markdown links to point to these files.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8).
  • Ingestion points: Untrusted data enters the agent context via the X API when fetching tweets or articles (scripts/main.ts).
  • Boundary markers: The output uses YAML frontmatter delimiters (---) and Markdown headers to separate metadata from content.
  • Capability inventory: The skill has the capability to write files (writeFile in main.ts), execute system commands (execSync and spawn in paths.ts and cookies.ts), and make network requests (fetch in http.ts).
  • Sanitization: Basic sanitization is performed via sanitizeSlug and escapeMarkdownAlt, but raw tweet content is interpolated into the final Markdown output, which could influence downstream agent actions if the Markdown is subsequently parsed or executed.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 14, 2026, 06:32 AM